Report In Brief

EVALUATION OF FTC'S INFORMATION SECURITY PROGRAM AND PRACTICE
Fiscal Year 2011
AR 12-002
January 2012 (public version of the sensitive report issued December 2011)


Why We Did This Study

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, including the Federal Trade Commission (FTC), to develop, document, and implement an agency-wide information security program. FISMA also requires each Inspector General (IG) to conduct an annual independent evaluation of its agency's information security program and practices.

The Office of Inspector General (OIG) contracted with Allied Technology Group, Inc. (Allied Technology) to perform the FY 2011 IG FISMA evaluation of the FTC information assurance and privacy programs.

The objective was to provide an evaluation of the effectiveness of the FTC information assurance and privacy programs and of their compliance with OMB and National Institute of Standards and Technology (NIST) guidance. This is a public version of a sensitive report that we issued in December 2011.


What We Recommend

To improve FTC security and privacy programs and bring them current with OMB and NIST guidance, we recommended improvements in the areas of risk management, capital planning, and the information security continuous monitoring program.


What We Found

The evaluation showed that the FTC has established an information security program that is in substantial compliance with applicable security and privacy requirements.

In FY 2010, the FTC security efforts were hampered by deficient performance resulting from the conversion of its infrastructure support to a performance-based contract. In FY 2011, the FTC Office of the Chief Information Officer (OCIO) executed a special effort to mitigate the infrastructure concerns. This effort required the OCIO staff to perform much of the security-related infrastructure work that had been included in the support contract and, at the same time, continue to advance the FTC information assurance program. The OCIO effort was largely successful in mitigating immediate security vulnerabilities and establishing the foundation for a successful, cost-effective information assurance program.

The FTC Information Security Program is documented in a number of policies and procedures that define a program structure compliant with FISMA requirements. The OCIO has an ongoing effort to ensure that FTC policies and procedures remain current with governmentwide guidance and is developing a multi-volume document (The Federal Trade Commission Information Security Program Handbook) that consolidates FTC security practices. The modernized environment includes increased acquisition of application services under a performance-based contracting approach. The FTC is also exploring opportunities to securely move FTC business applications into commercial "clouds," an approach that is intended to reduce costs while increasing the capability to scale services to fluctuating requirements.

The FTC increased the coordination of its information assurance and privacy programs through its Privacy Steering Committee (PSC) in FY 2011. The increased coordination recognizes that information assurance and privacy requirements must be fully integrated to successfully protect FTC information assets.

The status of the FTC information assurance and privacy programs was summarized in the DHS FISMA reporting metrics submitted through Cyberscope. As stated in the Cyberscope metric report, the IG independent evaluation of the FTC information assurance and privacy programs resulted in a determination that the programs provide reasonable assurance that FTC information assets are adequately protected, but that there are opportunities for improvement. The FTC information assurance and privacy programs continue to evolve: controls are being added and enhanced to address threat, vulnerability, and requirements changes; planning practices are being enhanced to incorporate security and privacy requirements at all levels of information system planning, from enterprise to individual system; and continuous monitoring practices are being instituted to provide FTC management with the current status and "health" of the FTC information assurance and privacy programs.